Re: [squid-users] strange reply denials based on rule ordering

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 31 Dec 2013 23:28:28 +1300

On 31/12/2013 4:56 a.m., Brian J. Murrell wrote:
> Hello,
>
> I've come across a recurring issue where Squid (3.2.1) will deny
> replies (TCP_DENIED_REPLY/403) purely based on where in the rule
> list (which is all allows with one deny at the end) the rule is.
>
> For example, with the following rule list:
>
> http_reply_access allow redirect
> http_reply_access allow jenny_pc
> http_reply_access allow jodys_pc
> http_reply_access allow kates_phone
> http_reply_access allow kate_laptop
> http_reply_access allow brians_tablet
> http_reply_access allow allowed_content
> http_reply_access allow pvr_pc
> http_reply_access allow pvrfe_pc
> http_reply_access allow linux_pc
> http_reply_access allow localhost
> http_reply_access allow brian_laptop
> http_reply_access allow lab_net
> http_reply_access allow brian
> http_reply_access allow kate
> http_reply_access allow fred
> http_reply_access allow plf rpm_content
> http_reply_access allow thac rpm_content
> http_reply_access allow mandriva rpm_content
> http_reply_access allow gpg_keyservers gpg_content
> http_reply_access allow ubuntu deb_content
> http_reply_access allow flash_downloads deb_content
> http_reply_access allow windowsupdate windowsupdatere
> http_reply_access allow windowsupdate allowed_wu_content
> http_reply_access allow avgupdate app_oct_content
> http_reply_access allow dl_sf_net app_oct_content
> http_reply_access deny all
>
> I will get:
>
> 1388416169.296 22 2001.123.45.678:214:d1ff:fe13:45ac TCP_DENIED_REPLY/403 3692 GET http://af.avg.com/softw/14free/update/x14xplsc_2067ol.bin - FIRSTUP_PARENT/127.0.0.1 text/html
>
> However if I move the rule that should allow that URL (allow
> avgupdate app_oct_content) to near the top of the above rule list
> squid will allow the content.
>
> I would think that the order of any "allow" rules should not matter
> as long as they are all before a deny rule. Is that not the case?
> Should what I describe above really happen in any condition?

Order IS important.

Each rule depends on what the rules above it do and whether their side
effects change the state depended on by the weird-acting ACL.

Amos

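Added here as an illustration (not Squid's code and not the poster's): a small Python model of the access-list walk Amos describes, in which lines are tried top to bottom, the ACLs on a line are ANDed left to right with checking stopping at the first non-match, the first matching line decides, and the opposite of the last line applies when nothing matches. It counts how many ACL checks, each a potential lookup with side effects, run before the avgupdate line is reached in the quoted order versus with that line moved to the top; the rule excerpt, the transactions and the ACL stand-ins are constructed for the example.

```python
from typing import Callable, Dict, List, Optional, Tuple
Rule = Tuple[str, List[str]]      # (action, [acl names])
Matcher = Callable[[dict], bool]  # does this ACL match the transaction?

def parse_rules(text: str, directive: str = "http_reply_access") -> List[Rule]:
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == directive:
            rules.append((parts[1], parts[2:]))
    return rules

def evaluate(rules: List[Rule], matchers: Dict[str, Matcher], tx: dict):
    """First matching line decides; ACLs on a line are ANDed left to right and
    checking stops at the first non-match. Returns (decision, line, ACLs checked)."""
    checked: List[str] = []
    for idx, (action, acls) in enumerate(rules):
        for name in acls:
            checked.append(name)   # each check may trigger a lookup (a side effect)
            if not matchers[name](tx):
                break              # this line cannot match; try the next one
        else:
            return action, idx, checked
    # Nothing matched: Squid applies the opposite of the last line's action.
    return ("deny" if rules[-1][0] == "allow" else "allow"), None, checked

# Constructed excerpt of the quoted list, plus the same list with the avgupdate
# line moved to the top as the poster did.
ORIGINAL = """
http_reply_access allow redirect
http_reply_access allow jenny_pc
http_reply_access allow localhost
http_reply_access allow windowsupdate allowed_wu_content
http_reply_access allow avgupdate app_oct_content
http_reply_access deny all
"""
AVG_LINE = "http_reply_access allow avgupdate app_oct_content\n"
REORDERED = AVG_LINE + ORIGINAL.replace(AVG_LINE, "")

def make_matchers(names) -> Dict[str, Matcher]:
    # Constructed stand-ins for Squid's ACL types: an ACL matches when the
    # transaction lists it as true; 'all' always matches.
    return {n: (lambda tx, n=n: n == "all" or n in tx["true_acls"]) for n in names}

def run(config: str, true_acls) -> Tuple[str, Optional[int], int]:
    """Evaluate one transaction: (decision, deciding line index, number of ACL checks)."""
    rules = parse_rules(config)
    matchers = make_matchers({n for _, acls in rules for n in acls})
    decision, idx, checked = evaluate(rules, matchers, {"true_acls": set(true_acls)})
    return decision, idx, len(checked)
```

With the AVG update reply, the quoted order performs six ACL checks before the avgupdate line matches, while the reordered list performs two; the decision is the same in this stateless model, so any difference seen in practice comes from what those extra checks do.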
Received on Tue Dec 31 2013 - 10:28:39 MST